The state of Connecticut recently enacted the nation's fifth comprehensive state data privacy law (the Act), which establishes obligations for businesses that process and manage consumers' personal data and sets privacy standards for data controllers and processors. The Act follows laws passed in California, Virginia, Colorado, and Utah. It largely tracks Virginia's data privacy law, the VCDPA, with only a few variations. The Act takes effect on July 1, 2023, and, until December 31, 2024, affected entities will be given an opportunity to cure alleged violations before the Attorney General brings an enforcement action.
The Act applies to individuals and entities that (1) conduct business in Connecticut or produce products or services that target Connecticut residents, and (2) during the preceding calendar year either (A) controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction, or (B) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. The Act covers "consumers" who reside in Connecticut and does not include an individual "acting in a commercial or employment context."
The Act does not apply to (1) state bodies, (2) nonprofit organizations, (3) institutions of higher education, (4) securities associations registered with the SEC, (5) financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act, and (6) certain data covered under HIPAA. Financial institutions and GLBA-covered data are exempted because the FTC and the federal banking agencies already promulgate rules governing how those institutions control and process data.
The Act gives Connecticut consumers, or a person designated to act as the consumer's authorized agent, the right to (i) confirm whether a controller is processing the consumer's personal data; (ii) correct inaccuracies in that data; (iii) delete the data; (iv) obtain a copy of the data that the controller holds; and (v) opt out of the processing of data for (A) targeted advertising, (B) the sale of data, or (C) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. The Act also requires a controller that knows a consumer is at least 13 but under 16 years old to obtain that consumer's consent before selling their personal data or processing it for targeted advertising. These consumer rights mirror those granted under the VCDPA; the consent requirement for teenagers' data is the main addition.
Notice Requirements and Other Obligations
Controllers must respond to a consumer's request within 45 days of receiving it. When reasonably necessary, a controller may extend the 45-day period once, by up to 45 additional days, to accommodate more complex requests, but it must inform the consumer of the extension and the reason for it within the original 45 days. A controller that declines to act on a request must likewise inform the consumer of its decision within 45 days of receiving the request. Information provided in response to a request must be free of charge, unless the consumer submits unfounded, excessive, or repetitive requests.
The Act mandates that controllers (1) limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer, (2) process data only for those disclosed purposes, (3) establish and implement reasonable administrative, technical, and physical data security practices, (4) refrain from processing a consumer's sensitive data without obtaining the consumer's consent, (5) refrain from processing data in violation of antidiscrimination laws, and (6) provide a mechanism by which a consumer can revoke previously given consent, and cease processing the data as soon as practicable and no later than 15 days after receiving the revocation.
Penalties and Enforcement
The Act does not provide a private right of action. The Attorney General of the State of Connecticut has exclusive authority to bring an action to enforce the Act.